First ATM malware is back and badder than ever

Original gangster Skimer goes global

Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat.

Skimer was the first malicious program to target ATMs. Seven years later, Russian cybercriminals are reusing the malware – but both the crooks and the program have evolved, to pose an even more potent threat to banks and their customers around the globe.

Kaspersky Lab's expert team discovered traces of an improved version of the Skimer malware on one of the affected bank's ATMs. It had been planted there and left inactive until the cybercriminal sent it a control message. The technique offered criminals an effective mechanism for covering their tracks.

A Skimer attack starts with the criminals gaining access to the ATM system – either through physical access or via the bank's internal network. Then, once Skimer has been successfully installed on the system, it infects the core of the ATM. The malware screws with processes responsible for the machine's interactions with the banking infrastructure, cash processing and credit cards.

The criminals then have full control over the infected ATMs. But they proceed cautiously. Once an ATM is successfully infected with the Skimer backdoor, criminals can withdraw all the funds in the ATM or grab the data from cards used in the machine, including the customers' bank account numbers and PIN codes. The malware sits surreptitiously gathering information, much like a sleeper agent, until it is activated.

Crooks use a special procedure to recover card data, as Kaspersky Lab experts explain:

In order to wake it up, criminals insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command or request commands through a special menu activated by the card. The Skimer's graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card's chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM's receipts.

Below is a video put together by Kaspersky Lab illustrating how money mules interact with an infected ATM.

Data from skimmed cards is used in order to create counterfeit copies of these cards later, a process made more difficult by innovations such as chip and PIN but still possible in many geographies.

Skimer was first distributed extensively between 2010 and 2013. Its appearance spurred the creation of other strains of ATM malware such as the Tyupkin family, discovered in March 2014, which became the most popular and widespread threat of its kind since. This year has seen the return with a vengeance of Skimer, the original gangster of the ATM malware world.

Kaspersky Lab has now identified 49 modifications of the Skimer malware, with 37 of these modifications targeting the ATMs of just one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.

With the help of samples submitted to VirusTotal, a picture of a very wide geographical distribution of potentially infected ATMs emerges. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic. Samples were likely uploaded by either bank or third-party security response staff investigating suspected infections.

More details on the threat can be found in a blog post by Kaspersky Lab security researchers Olga Kochetova and Alexey Osipov that features code snippets and indicators of compromise related to the malware. ®